Commit Graph

8 Commits

Author SHA1 Message Date
Ophestra Umiker 08ce7f4a1f
cmd/fuserdb: systemd userdb drop-in entries generator
test / test (push) Successful in 21s Details
This provides user records via nss-systemd. Static drop-in entries are generated to reduce complexity and attack surface.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-17 02:03:18 +09:00
Ophestra Umiker df33123bd7
app: integrate fsu
test / test (push) Successful in 21s Details
This removes the dependency on external user switchers like sudo/machinectl and decouples fortify user ids from the passwd database.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-16 21:19:45 +09:00
Ophestra Umiker 45fead18c3
cmd/fshim: set no_new_privs flag
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-09 11:50:56 +09:00
Ophestra Umiker 88abcbe0b2
cmd/fsu: remove import of internal package
test / test (push) Successful in 24s Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-04 12:32:14 +09:00
Ophestra Umiker 8cd3651bb6
cmd/fshim/ipc: friendly setup timeout message
test / test (push) Successful in 22s Details
This message eventually gets returned by the app's Start method, so they should be wrapped to provide a friendly message.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-03 02:03:30 +09:00
Ophestra Umiker 584732f80a
cmd: shim and init into separate binaries
test / test (push) Successful in 19s Details
This change also fixes a deadlock when shim fails to connect and complete the setup.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-02 03:13:57 +09:00
Ophestra Umiker aa1f96eeeb
fsu: check parent executable path
test / test (push) Successful in 19s Details
Only allow main program to launch fsu. This change and further checks in the main program reduces attack surface.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 18:52:23 +09:00
Ophestra Umiker d9cb2a9f2b
fsu: implement simple setuid user switcher
Contains path to fortify, set at compile time, authenticates based on a simple uid range assignment file which also acts as the allow list.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-28 00:02:34 +09:00